CVE-2020-19288
Description
A stored cross-site scripting (XSS) vulnerability in the /localhost/u component of Jeesns 1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in a private message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jeesns 1.4.2 stored XSS in /localhost/u allows arbitrary script execution via crafted private message.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Jeesns version 1.4.2 within the /localhost/u component. The bug allows an attacker to inject arbitrary web scripts or HTML by sending a crafted payload in a private message, which is stored and later executed in the browser of any user viewing the message [1][2].
Exploitation
An attacker must have the ability to send a private message to a Jeesns user. No elevated privileges are required; the attacker only needs a valid account. The crafted payload is included in the message body and, once sent, is stored on the server. Any user who views the private message will trigger the XSS payload in their browser [1][2].
Impact
Successful exploitation leads to arbitrary script execution in the context of the victim's browser. This can result in theft of session cookies, defacement, or other client-side attacks, potentially compromising the victim's account and data within the Jeesns application [1][2].
Mitigation
The issue has been addressed in later commits of the Jeesns project. Users should upgrade to a version newer than 1.4.2 where the fix is applied. No official patch release date is specified, but the repository maintainers have closed the issue as fixed [2]. There is no known workaround for unpatched versions.
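The root cause described above is a message body that is stored verbatim and rendered into HTML without output encoding. The following is an added illustration, not code from the Jeesns project (which is written in Java) and not taken from the cited issue or advisory: the vulnerable rendering pattern beside the hardened one, plus a small audit helper a defender could run over already-stored messages to find bodies that would have executed as active content. The function names, the `msg-body` wrapper and the sample message texts are all constructed for this example.

```python
import html
import re

# Constructed sample private-message bodies for demonstration only; they are
# not taken from the Jeesns issue tracker or the seebug report.
SAMPLE_MESSAGES = [
    "See you at the meetup on Friday?",
    "<script>alert(document.domain)</script>",
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
]

# Heuristic for markup that should never reach a rendered message body
# unencoded: script tags, inline event handlers, javascript: URLs.
# This is a review/monitoring aid only; output encoding is the actual fix.
_ACTIVE_MARKUP = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def render_unsafe(body: str) -> str:
    """Vulnerable pattern: the stored body is concatenated into HTML as-is,
    so any tags in it become live markup in the viewer's browser."""
    return f'<div class="msg-body">{body}</div>'


def render_safe(body: str) -> str:
    """Hardened pattern: HTML-entity-encode the body for an HTML text context.
    quote=True also encodes quotes, so the same helper stays safe if the
    value is ever placed inside an attribute."""
    return f'<div class="msg-body">{html.escape(body, quote=True)}</div>'


def contains_active_markup(body: str) -> bool:
    """True if the raw body contains script-like markup (heuristic)."""
    return bool(_ACTIVE_MARKUP.search(body))


def audit_messages(messages):
    """Return (index, body) pairs for stored messages that the unsafe
    renderer would have turned into active content."""
    return [(i, m) for i, m in enumerate(messages) if contains_active_markup(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(render_safe(m))
    print("flagged:", audit_messages(SAMPLE_MESSAGES))
```

The encoded output is inert in any modern browser, whereas `render_unsafe` reproduces the stored-XSS condition the advisory describes. The audit helper is intentionally conservative (it will also flag harmless text such as `once=`), which is acceptable for a one-off review of existing messages after an upgrade.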
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Jeesns/Jeesns
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/zchuanzhao/jeesns/issues/17
2. www.seebug.org/vuldb/ssvid-97946
News mentions
No linked articles in our index yet.